Mikrotik - Limit Upload Speed On Specific Port - firewall

I have set a NAT rule for chain=dstnat action=dst-nat port=1234 and it is working OK; I can access the application from the internet on my local PC. Now I want to limit this port=1234 on upload speed, but I can't do it!
On Simple Queues there is an option, but it limits on IP address, not on port. I use multiple ports, so I want to limit on port. Is this possible?
Thank you.

It's possible; you'll need a setup where you mark packets in the mangle table.
/ip firewall mangle
add action=mark-packet chain=forward dst-port=1234 new-packet-mark=custom-port passthrough=no protocol=tcp
After that, you can do traffic shaping on those marked packets.
/queue simple
add name="custom-port" parent=main packet-marks=custom-port max-limit=240000/500000 priority=1

Related

Create an iptable or BPF rule to only allow OpenVPN traffic to a connection port 1194 and drop all other traffic going to that port

How's it going, everyone? I am trying to create either an iptables or a BPF rule which will only allow OpenVPN traffic over UDP to my VPN server on destination port 1194, in the hope of preventing DDoS attacks on that port whilst still being able to connect to it. I would normally implement a simple whitelist of my and my friends' IPs; however, one of them has a dynamic IP which changes very regularly, so constantly updating my firewall to allow traffic from his IP would be somewhat annoying, aha. If it could also only allow Windows users to connect, that would be great as well, as my two buddies and I run Windows and this would be one more parameter the traffic has to match in order to be accepted. Any help in creating this rule would be greatly appreciated, as my cheap little personal VPN has for some reason been DDoSed over 5 times this week while my friends and I play GTA - perhaps that's the reason! Thanks in advance to anyone who can chime in here!
I have tried the following rules but unfortunately to no avail:
#Allow packets with the string "OpenVPN" to my connection port then drop remaining UDP traffic to that port
iptables -A INPUT -p udp --dport 1194 -m string --algo bm --string "OpenVPN" --to 65535 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
After flushing my iptables and adding these two rules, I was expecting to be able to connect to my VPN server through OpenVPN but unfortunately I was unable to connect.
There is no simple way to tell whether incoming traffic originates from an OpenVPN application or not. The only way to validate that would be to see if the contents of your UDP packet look like an OpenVPN protocol header: does the size match, does it contain magic numbers, or do certain fields contain the values you expect? So it would require fairly intimate knowledge of the OpenVPN protocol to pull that off.
Additionally, UDP is inherently susceptible to DDoS attacks because of UDP amplification. Even if you were to manage the above, it's trivial for most DDoS attackers to just saturate your uplink, making any filtering useless.
Switching to TCP will make it a bit more difficult, since launching TCP attacks requires more resources for the same amount of traffic, and the three-way handshake offers a good place to enforce proper TCP clients and/or implement IP blacklists.
Ultimately, the only real way to deal with DDoS attacks is to seek protection from DDoS mitigation/protection companies like Cloudflare, Akamai, Imperva, etc., which unfortunately are not free most of the time.
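To make concrete what "looks like an OpenVPN protocol header" means, here is an added example that is not from the original thread: a structural check of the opcode byte, session id, ack array and packet id of a plain-TLS OpenVPN v2 UDP payload. It assumes the server runs without --tls-auth or --tls-crypt (those insert an HMAC and replay fields after the session id), and the sample packet is constructed. The constructed client hard reset also shows why the string match in the rules above never fires for the handshake: that packet carries no literal "OpenVPN".

```python
# OpenVPN v2 opcodes: upper five bits of the first byte (low three bits: key_id).
OPCODES = {
    4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
}
HARD_RESETS = {7, 8}
MAX_ACKS = 8  # the reliability layer acks at most 8 packet-ids per packet


def classify(payload: bytes):
    """Return the opcode name if the UDP payload is structurally a plain-TLS
    OpenVPN packet, else None. Assumes no --tls-auth/--tls-crypt, which would
    insert an HMAC and replay fields right after the session id."""
    if not payload:
        return None
    opcode = payload[0] >> 3
    name = OPCODES.get(opcode)
    if name is None:
        return None
    if opcode in (6, 9):
        # Data channel: opaque ciphertext; P_DATA_V2 adds a 3-byte peer-id first.
        return name if len(payload) > (4 if opcode == 9 else 1) else None
    # Control channel: opcode, 8-byte session id, ack count, 4-byte ack ids,
    # 8-byte remote session id (only if acks are present), 4-byte packet id.
    if len(payload) < 10:
        return None
    n_acks = payload[9]
    if n_acks > MAX_ACKS:
        return None
    need = 10 + 4 * n_acks + (8 if n_acks else 0)
    if opcode != 5:           # P_ACK_V1 is the only control packet without a packet id
        need += 4
    if len(payload) < need:
        return None
    if opcode in HARD_RESETS and len(payload) != need:
        return None           # a hard reset carries no TLS payload at all
    return name


# Constructed sample: the first packet a client sends (key_id 0, no acks, packet id 0).
SAMPLE_CLIENT_HARD_RESET = bytes([7 << 3]) + b"\x11" * 8 + b"\x00" + b"\x00" * 4


def string_match_would_accept(payload: bytes) -> bool:
    """What the iptables -m string rule above tests: a literal 'OpenVPN' in the payload."""
    return b"OpenVPN" in payload
```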

How do I apply a traffic limit to those connecting from a specific port with iptables or tc?

On my CentOS server, TCP connections are provided over port 643 and UDP connections are provided over port 6194. I want to add a 1-hour drop rule for each IP address that consumes 50MB of traffic on each of these ports.
Can I do this using iptables or tc? If I can, how do I do it? I don't know enough about the subject; can you help me, please?
It is possible to limit incoming and outgoing bandwidth and latency with tc (Traffic Control). This means you can control the throughput, i.e. the data amount over time, only.
According to your description, for 50MB/hr you would need to set something like 125kBps for your rate. Since it is a bandwidth limitation that makes sure only a specific amount of traffic can be used, there is no time limitation.
Further questions and answers on this topic are:
Limiting interface bandwidth with tc
Limit network bandwith for an IP
How to limit network bandwidth
A more advanced solution could be:
Rate limit network but allow bursting per TCP connection before limiting
Even if it is possible to cut off TCP/IP connections via, for example, the cutter tool, or to set a block time with iptables, I am not aware of any production-ready solution for controlling the duration of a network session. You may also have a look into wondershaper or trickle.

Increase ephemeral ports by adding extra ethernet interface

Is there a way to double the number of ephemeral ports and work around the 16-bit limit? I have tried creating virtual Ethernet interfaces over eth0, hoping that would lift the limit. Although the application is utilizing the new virtual IPs in outbound traffic, it seems to still be hitting the same ephemeral-port limit. I suppose the virtual ports have a 1-to-1 mapping to the ports on the physical interface.
ifconfig eth0:1 10.10.10.210 netmask 255.255.255.192
ifconfig eth0:2 10.10.10.211 netmask 255.255.255.192
Could someone please advise how I could double the total number of ephemeral ports in Linux, without adding an extra NIC?
(FYI, I have tried increasing ulimit/max open files, changing the port range, enabling tcp recycle/timestamps, reducing the tcp fin timeout... I suppose we simply need more than 65k ports for this proxy machine.)
If you create virtual interfaces over eth0, then you should be able to assign different IP addresses to those interfaces. With that, you can use the same ephemeral port numbers (they are allocated in the kernel, so you don't really have much control) for multiple sockets, each bound to a different address -- you will probably need to set the SO_REUSEADDR option. The reason this will work is that for incoming packets (UDP/TCP), the flow is identified by looking at both the local source IP and the port number.
And as #Duck mentioned, since TCP/UDP headers allocate only 16 bits for port numbers, there is not much point in increasing the ephemeral range in the local stack.
It's a limitation of the network protocols. Both TCP & UDP, for instance, have 16 bit source and destination ports. Even if you could increase the number of ports no one could address them.
It seems there's a way, but it's not for free. It's called "bind before connect". See this short but dense article, which sums it up very nicely.
Having multiple virtual IPs is just a start. Quoting the linked article:
On Linux the ephemeral port range is a global resource, it's not a specific setting local to an IP address.
So that's bad, and you have to improve your starting position with a few right settings (most of which you already found) and get around the global limit with a clever socket allocation technique. The result is that you'll control all the outgoing IPs manually. This also seems not to cope well with other apps on the system using the traditional "connect" way.
It turns out that you cannot use 0 for binding an ephemeral port if you want to exceed the 65535 limit. Instead, you need to use an explicit port number.
Also, turning on tcp_tw_reuse might be helpful: http://krenel.org/tcp-time_wait-and-ephemeral-ports-bad-friends.html
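The "bind before connect" technique from the linked article, as an added example that is not part of the original answer: the allocator cycles through explicit (local IP, port) pairs, binds each with SO_REUSEADDR before connect(), and moves on to the next pair when the kernel reports that 4-tuple as taken. The class and function names are assumptions, and the demo uses a loopback listener so that it runs offline.

```python
import errno
import socket

class BindBeforeConnect:
    """Allocate explicit (local_ip, local_port) pairs and bind them before
    connect(), instead of binding port 0 and drawing from the kernel's one
    global ephemeral range. Assumed helper; not from the linked article."""

    def __init__(self, local_ips, first_port=32768, last_port=60999):
        self.local_ips = list(local_ips)
        self.first_port, self.last_port = first_port, last_port
        self._ip_idx, self._port = 0, first_port

    def _next_pair(self):
        # Cycle through every local IP at the current port before advancing
        # the port, so capacity scales with the number of IPs.
        pair = (self.local_ips[self._ip_idx], self._port)
        self._ip_idx = (self._ip_idx + 1) % len(self.local_ips)
        if self._ip_idx == 0:
            self._port = self._port + 1 if self._port < self.last_port else self.first_port
        return pair

    def connect(self, dest, attempts=256):
        for _ in range(attempts):
            ip, port = self._next_pair()
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            try:
                s.bind((ip, port))  # explicit port: port 0 would hit the global limit
                s.connect(dest)
                return s
            except OSError as exc:
                s.close()
                if exc.errno not in (errno.EADDRINUSE, errno.EADDRNOTAVAIL):
                    raise  # anything else is a real error; a taken 4-tuple just means "next pair"
        raise OSError(errno.EADDRNOTAVAIL, "no free (ip, port) pair for %r" % (dest,))


def demo(n=3):
    """Connect n times to a loopback listener; return the source ports used."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    alloc = BindBeforeConnect(["127.0.0.1"], first_port=45000, last_port=45999)
    conns = [alloc.connect(srv.getsockname()) for _ in range(n)]
    ports = [c.getsockname()[1] for c in conns]
    for c in conns + [srv]:
        c.close()
    return ports
```

With several local IPs the allocator reuses each port once per IP, which is where the extra capacity comes from; the demo only has loopback, so it shows the explicit-port path and the retry on a taken pair.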

Using IPSec to block all traffic except web browsing

I am using IPsec to block all protocol traffic and allow some ports.
I want to allow web browsing while blocking all of the other traffic.
I tried to add a rule to allow port 80, and port 53 as source and destination port over the UDP and TCP protocols, but I still get a DNS error in the browser.
Please can you help me?
I don't know IPsec, but in general you cannot limit the source ports. The source ports will be random and will not likely be 53 or 80. You should limit only the destination ports (80, 53).
The way IPSec works is that all 'block' rules take priority over 'allow' rules. If we ignore the fact you're not using the recommended methods to do what you want to do, you've not configured IPSec properly.
Unfortunately, using this method will be horrible, since you'll have to configure filters to block everything except HTTP, and there's no way of specifying 'everything except something'. I went down this road briefly a few weeks ago, made the same mistake you did, and aborted the whole plan!
I know this is an old question, but it would be good to follow it up with the solution you found.

How can I configure Linux routing to send packets out one interface, over a bridge and into another interface on the same box

I'm trying to test an Ethernet bridging device. I have multiple Ethernet ports on a Linux box. I would like to send packets out one interface, say eth0 with IP 192.168.1.1, to another interface, say eth1 with IP 192.168.1.2, on the same subnet.
I realize that normally you don't configure two interfaces on the same subnet, and if you do, the kernel routes directly to each interface rather than over the wire. How can I override this behavior, so that traffic to 192.168.1.2 goes out the 192.168.1.1 interface, and vice versa?
Thanks in advance!
This is a guess, but I hope it is in the right direction.
Make more-specific routing table entries, along the lines of:
route add -host 192.168.1.2 dev eth0
route add -host 192.168.1.1 dev eth1
You may also need to fiddle with the accept_local configuration for both interfaces -- or the all setting. (Turning this on may make your machine more susceptible to IP source spoofing attacks; be sure you have good ingress firewall rules elsewhere to prevent trouble.) (See sysctl -a | grep accept_local for what I'm talking about.)
I think you need something like Mac-Vlan in your Linux. This cannot be done with NAT only. Read this: http://www.linuxjournal.com/article/7268.
